Metacoda Security Plug-ins – Page 2

Metacoda Plug-ins Tip: hasPermissionCondition

This post continues a series of examples on Advanced Expression-Based Filters for Metacoda Plug-ins. The recent Metacoda Plug-ins 6.1 R2 release added support for a new hasPermissionCondition boolean attribute that can be used in any filter bar on a table of Access Control Entries (ACEs), such as the ACE Reviewer.

You can copy and paste the following into the filter bar of the Metacoda ACE Reviewer to only show ACEs that include permissions conditions, such as those used for SAS OLAP Member-Level Permissions, BI Row-Level Permissions, or Visual Analytics Conditional Grants:

#@ hasPermissionCondition

Here is an example of it in action:

ACE Reviewer hasPermissionCondition

Of course, if required, you can also negate it to filter out those rows with permission conditions:

#@ !hasPermissionCondition

If you have any questions about Metacoda Plug-ins, Advanced Expression-Based Filters, or hasPermissionCondition please leave a comment below.

Metacoda Plug-ins Tip: Compare Metadata Objects

One of the new additions in the recently released Metacoda Plug-ins 6.1 R2 is a Compare Metadata Objects feature. This is a something that several customers have requested, particularly for the comparison of SAS metadata security objects like ACTs, Users, Groups, and Roles. One of the most common requests was to be able to compare users, who are supposed to be almost identical, but are found to have different access. Being able to compare the two users to see which groups they have, or don’t have, in common helps to speed up troubleshooting.

With the new Compare Metadata Objects dialog, you can compare any two metadata objects to show similarities and differences. Whilst it can be used to do a basic comparison of any 2 metadata objects, specific attention has been given to aid in the comparison of security objects, including ACT Permission Patterns, ACT and ACE participation, applied ACTs and ACEs, user/group membership of groups and roles, and members of groups and roles.

There are several ways to access this feature. The first is to use SAS Management Console Tools menu:

… this opens the comparison dialog where you can proceed to search for, and select, the two objects you want to compare. Continue reading “Metacoda Plug-ins Tip: Compare Metadata Objects”

Metacoda Auth Domain Reviewer Libraries Tab

Last year I posted some information about a new Metacoda Auth Domain Reviewer plug-in that was planned for Metacoda Plug-ins 6.1. That Auth Domain Reviewer is now available with the recent Metacoda Plug-ins 6.1 R1 release and you may notice that it looks a little different to the screenshots I posted back then … it now has a Libraries tab.

The Libraries tab as was added based on feedback we got during early access testing by customers. They told us they would like to be able to see, for a selected authentication domain, all of the SAS® software libraries registered in metadata that are associated with that auth domain. That sounded like a great idea so we added it!

Thanks to those customers that suggested it and please keep those suggestions coming!

If you’d like to try out the new Auth Domain Reviewer plug-in you can login and download Metacoda Plug-ins 6.1 R1 from the Metacoda Customer Portal. If you don’t yet have a Metacoda login you can register for a free 30 day evaluation license to try the plug-ins in your own SAS platform installation.

Metacoda Auth Domain Reviewer

Update 05Mar2019: The Metadata Auth Domain Reviewer discussed in this blog post is now available with the Metacoda Plug-ins 6.1 R1 release, and also includes a new Libraries tab based on feedback from customers during early-access testing.

One of the new Metacoda Security Plug-ins features arriving in version 6.1 is the Auth Domain Reviewer. Like the other reviewers, this plug-in is used for investigating, documenting and testing how a SAS metadata security feature has been used within a particular SAS platform deployment. When I’m reviewing metadata security for a SAS platform I like to look at it from several different perspectives and authentication domains is one of them. I like to see:

What authentication domains have been added beyond the initial DefaultAuth?
How have they been used with respect to inbound logins?
How have they been used with respect to outbound logins and providing shared credentials for database access?
How have they been used with respect to 3rd party database system connections?
Are there any unused ones, possibly added by accident, that can be cleaned up?
Are there any seemingly duplicate ones that might be consolidated?

In the past it has been time-consuming to gather this information together, so this new plug-in Continue reading “Metacoda Auth Domain Reviewer”

Metacoda Plug-ins Tip: User’s Group Content Admin Permissions (Identity Permissions Explorer)

This tip was prompted by a SAS Communities question which I hear from time to time, essentially “How do I find out which groups a SAS user is a Portal Group Content Administrator for?” It can be answered using the Metacoda Identity Permissions Explorer but involves a few steps so I will outline them here.

To quote the SAS® 9.4 Intelligence Platform: Web Application Administration Guide, Group Content Administrator section:

A group content administrator is a user who has WriteMetadata permission for the respective group, and the group’s Portal permission tree. A group content administrator can share personal content with the group, and can edit or remove content that has been shared with the group. (Portal administrators have WriteMetadata permission for all group permission trees that are defined in metadata.)

So, to find out which groups a user is group content admin for, we need to look for all of the group portal permission trees where the user has a grant of the WM permission. This can be done quickly and easily using the Metacoda Identity Permissions Explorer. Below is a screenshot with numbered steps where we find out which groups Aaron Atkins (demoaaron), a fictitious Business Analyst, is a Portal Group Content Administrator for. Continue reading “Metacoda Plug-ins Tip: User’s Group Content Admin Permissions (Identity Permissions Explorer)”